Parity with opaque session tokens

lcrilly · lcrilly · commit eee29d22e1a8 · 2019-02-08T15:35:44.000Z
diff --git a/opaque_session_token/frontend.conf b/opaque_session_token/frontend.conf
@@ -22,7 +22,10 @@ server {
     include conf.d/openid_connect.server_conf; # Authorization code flow and Relying Party processing
 
     # OpenID Connect Provider (IdP) configuration
-    set $oidc_jwt_keyfile     /etc/nginx/my_idp_jwk.json;
+    resolver 8.8.8.8; # For DNS lookup of IdP endpoints;
+    subrequest_output_buffer_size 32k; # To fit a complete tokenset response
+
+    set $oidc_jwt_keyfile     /etc/nginx/my_idp_jwk.json; # URL when using 'auth_jwt_key_request'
     set $oidc_authz_endpoint  "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth";
     set $oidc_token_endpoint  "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token";
     set $oidc_client          "my-client-id";
@@ -35,6 +38,7 @@ server {
         # This site is protected with OpenID Connect
         auth_jwt "" token=$session_jwt; # Obtain JWT from key-value store
         auth_jwt_key_file $oidc_jwt_keyfile;
+        #auth_jwt_key_request /_jwks_uri; # Requires NGINX Plus R17+
 
         # Absent/invalid OpenID Connect token will (re)start auth process
         error_page 401 @oidc_auth;
diff --git a/opaque_session_token/openid_connect.server_conf b/opaque_session_token/openid_connect.server_conf
@@ -1,3 +1,18 @@
+    location = /_jwks_uri {
+        # This is where the JSON Web Key Set is fetched from the IdP and cached
+        internal;
+        proxy_cache jwk;
+        proxy_pass $oidc_jwt_keyfile;
+
+        # This configuration ignores all response headers that influence caching,
+        # and instead sets a fixed validity period before the JWK is re-fetched.
+        # See http://nginx.org/r/proxy_cache for all configuration options
+        proxy_cache_valid 200 12h;
+        proxy_cache_lock on;
+        proxy_cache_use_stale error timeout updating;
+        proxy_ignore_headers Cache-Control Expires Set-Cookie;
+    }
+
     location @oidc_auth {
         # TODO: if $auth_token then delete the expired/invalid entry from keyval
 
@@ -39,7 +54,6 @@
         # to construct the OpenID Connect token request, as per:
         #  http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
         internal;
-        resolver 127.0.0.1; # For DNS lookup of $oidc_token_endpoint;
         gunzip   on; # Decompress if necessary
 
         proxy_set_header  Content-Type "application/x-www-form-urlencoded";
diff --git a/openid_connect.server_conf b/openid_connect.server_conf
@@ -1,5 +1,5 @@
     location = /_jwks_uri {
-	# This is where the JSON Web Key Set is fetched from the IdP and cached
+        # This is where the JSON Web Key Set is fetched from the IdP and cached
         internal;
         proxy_cache jwk;
         proxy_pass $oidc_jwt_keyfile;
@@ -10,9 +10,7 @@
         proxy_cache_valid 200 12h;
         proxy_cache_lock on;
         proxy_cache_use_stale error timeout updating;
-        proxy_ignore_headers Cache-Control;
-        proxy_ignore_headers Expires;
-        proxy_ignore_headers Set-Cookie;
+        proxy_ignore_headers Cache-Control Expires Set-Cookie;
     }
 
     location @oidc_auth {
@@ -35,7 +33,7 @@
         js_content oidcCodeExchange; # nginScript function to obtain JWT and issue cookie
         add_header Set-Cookie "auth_token=$auth_token; HttpOnly;";
 
-        # Catch errors from oidc_codeExchange()
+        # Catch errors from oidcCodeExchange()
         # 500 = token validation error, 502 = error from IdP, 504 = IdP timeout
         error_page 500 502 504 @oidc_error; 
 
